// Level 3 · Controls
Microsoft 365
CIS Microsoft 365 Foundations Benchmark
1.1.1 · Medium
Ensure Security Defaults is disabled on Azure Active Directory (when CA used)
Use Conditional Access for granular controls.

1.1.3 · High
Ensure global administrators are using a Privileged Access Workstation
Reduce admin compromise risk.

1.2.1 · Critical
Ensure multifactor authentication is enabled for all users in administrative roles
MFA for admins.

1.2.2 · Critical
Ensure multifactor authentication is enabled for all users
Org-wide MFA.

1.3.1 · Medium
Ensure the 'Password expiration policy' is set to 'Set passwords to never expire'
Aligned with NIST guidance.

2.1.1 · High
Ensure Microsoft Defender for Office 365 Safe Attachments policy is enabled
Sandbox attachments.

2.1.4 · High
Ensure Safe Links for Office Applications is Enabled
Rewrite/scan URLs.

2.1.7 · High
Ensure that an anti-phishing policy has been created
Anti-phishing in Defender.

3.1.1 · Critical
Ensure Microsoft 365 audit log search is Enabled
Required for incident investigation.

4.6 · High
Ensure modern authentication for SharePoint applications is required
Block legacy auth.

5.1 · Medium
Ensure expiration time for external sharing links is set
Limit shared link lifetime.

6.1 · High
Ensure modern authentication for Exchange Online is enabled
Block legacy auth.

6.2.1 · High
Ensure mail forwarding rules to external domains are reviewed/blocked
Detect data exfil via forwarding.